I want to design a sudo rule that will allow the user ricardo to update the system using aptitude, but prevent him from using sudo to run any other command (he's a problem user). Are there any pitfalls to this rule that I'm missing?

ricardo ALL=(root) /usr/bin/aptitude

Ricardo only uses aptitude, not apt-get. Also, I don't have Ubuntu installed anywhere at the moment, so I understand that /usr/bin/aptitude might not be the exact right file to allow.

The only pitfall I see is that, if he's a problem user, he can mess up the system with aptitude all the same.
– roadmr, Feb 21 '13 at 17:03

@roadmr True. Although still not perfect, would this command be a bit more suitable, only allowing the user to update, but not remove, packages? ricardo ALL=(root) /usr/bin/aptitude update, /usr/bin/aptitude dist-upgrade
– Ricardo Altamirano, Feb 21 '13 at 17:23

Looks like you answered your own question :) What you posted seems to work, and it only lets the user run aptitude with the specified parameters.
– roadmr, Feb 21 '13 at 17:51

@roadmr Should I post that as an answer or let you work it into yours?
– Ricardo Altamirano, Feb 21 '13 at 17:53

You found out the answer, so I suggest you post it as an answer and then accept it. I did nothing but provide feedback.
– roadmr, Feb 21 '13 at 17:56

Upgrades installed packages to their most recent version. Installed packages will not be removed unless they are unused.

In contrast, full-upgrade:

Upgrades installed packages to their most recent version, removing or installing packages as necessary. This command is less conservative than safe-upgrade and thus more likely to perform unwanted actions. However, it is capable of upgrading packages that safe-upgrade cannot upgrade.

Use your best judgement for which the user should be allowed to run. If you're unsure, use the first rule, which only allows safe-upgrade.

Note that if you want to allow a user to install packages (which greatly reduces any benefit to security, but hypothetically), you need to include a * after the aptitude command, i.e.

I cannot actually see anything wrong with that sudoers line. Unfortunately, I have not messed around with sudo's configuration settings that much, so in that case, my advice may not be reliable. Fortunately, what I can do is give you a line that I do know is safe:

ricardo ALL=/usr/bin/aptitude

This line is guaranteed to only let ricardo execute aptitude as root, as long as ricardo is not a member of a sudo-enabled group, such as sudo or admin.

The command I posted is identical to yours, except that my command won't allow ricardo to run aptitude as any other user. Yours might have the same restriction, but the command I posted makes it explicit.
– Ricardo Altamirano, Feb 21 '13 at 17:27
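The difference between the two answers above (a rule listing the command with explicit arguments versus a bare rule that accepts any arguments) can be checked without touching a real sudoers file. The script below is an added example, not part of this thread, and simulates the sudoers(5) argument-matching semantics for a small rule set; it assumes the user types the full path to aptitude (sudo resolves a bare name via PATH, which this simulation skips), and the rule sets and command lines are constructed for illustration.

```shell
#!/bin/sh
# Simulates sudoers(5) command/argument matching for the rules in this thread.
# A command listed with no arguments may be run with ANY arguments; a command
# listed with arguments must match them exactly; a lone "*" as the argument
# matches anything; "" means the command must be run with no arguments.

# Constructed: the restricted rule set from the comments (one rule per line).
RULES_STRICT='/usr/bin/aptitude update
/usr/bin/aptitude safe-upgrade'
# Constructed: the bare rule from the second answer (no arguments listed).
RULES_BARE='/usr/bin/aptitude'

# allowed RULES CMDLINE -> returns 0 if CMDLINE matches a rule, 1 otherwise.
allowed() {
    cmdline=$2
    cmd=${cmdline%% *}
    case "$cmdline" in
        *' '*) cmd_args=${cmdline#* } ;;
        *)     cmd_args='' ;;
    esac
    result=1
    old_ifs=$IFS
    IFS='
'
    set -f                       # keep "*" in a rule from globbing
    for rule in $1; do
        rule_cmd=${rule%% *}
        [ "$rule_cmd" = "$cmd" ] || continue
        if [ "$rule" = "$rule_cmd" ]; then
            result=0             # no arguments in the rule: anything goes
        else
            rule_args=${rule#* }
            case "$rule_args" in
                '*')  result=0 ;;
                '""') [ -z "$cmd_args" ] && result=0 ;;
                *)    [ "$rule_args" = "$cmd_args" ] && result=0 ;;
            esac
        fi
        [ "$result" -eq 0 ] && break
    done
    set +f
    IFS=$old_ifs
    return "$result"
}

# Compare: the strict rule set denies package removal, the bare one does not.
for c in '/usr/bin/aptitude safe-upgrade' '/usr/bin/aptitude remove bash'; do
    allowed "$RULES_STRICT" "$c" && s=allowed || s=denied
    allowed "$RULES_BARE" "$c" && b=allowed || b=denied
    printf '%-32s strict: %-7s bare: %s\n' "$c" "$s" "$b"
done
```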